cjoint

Document format: text/plain

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 14.03.2018
Ran by latou_000 (28-03-2018 12:37:57)
Running from C:\Users\latou_000\Desktop
Windows 8.1 Pro (Update) (X64) (2014-10-27 03:37:28)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-3477242233-1307385565-363532214-500 - Administrator - Disabled)
Guest (S-1-5-21-3477242233-1307385565-363532214-501 - Limited - Disabled)
latou_000 (S-1-5-21-3477242233-1307385565-363532214-1003 - Administrator - Enabled) => C:\Users\latou_000

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Apple Application Support (32-bit) (HKLM-x32\...\{7FA9ECCF-A2DE-4DA1-BFF3-81260DBDA68F}) (Version: 4.1.2 - Apple Inc.)
Apple Application Support (64-bit) (HKLM\...\{691F30EB-9009-475A-B8A9-E1BF39598FD5}) (Version: 4.1.2 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{3540181E-340A-4E7A-B409-31663472B2F7}) (Version: 9.1.0.6 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{FFD1F7F1-1AC9-4BC4-A908-0686D635ABAF}) (Version: 2.1.4.131 - Apple Inc.)
Bonjour (HKLM\...\{56DDDFB8-7F79-4480-89D5-25E1F52AB28F}) (Version: 3.1.0.1 - Apple Inc.)
Catalyst Control Center (HKLM-x32\...\WUCCCApp) (Version: 1.00.0000 - AMD)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 65.0.3325.181 - Google Inc.)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.33.7 - Google Inc.) Hidden
iTunes (HKLM\...\{FBEB98F8-64E4-4FA3-A15E-4A9F42FF962E}) (Version: 12.3.2.35 - Apple Inc.)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.50727 (HKLM-x32\...\{15134cb0-b767-4960-a911-f2d16ae54797}) (Version: 11.0.50727.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.50727 (HKLM-x32\...\{22154f09-719a-4619-bb71-5b3356999fbf}) (Version: 11.0.50727.1 - Microsoft Corporation)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

ContextMenuHandlers5: [ACE] -> {5E2121EE-0300-11D4-8D3B-444553540000} => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\atiacm64.dll [2014-07-04] (Advanced Micro Devices, Inc.)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {72946C16-4999-4F3F-9D81-2634F610F131} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2016-02-11] (Google Inc.)
Task: {93DD784C-9865-4E77-9F6D-4DCADE7BC5EE} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2015-08-27] (Apple Inc.)
Task: {A1D0E68F-3FD3-455D-B7E0-EF79913AE982} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2016-02-11] (Google Inc.)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)


==================== Shortcuts & WMI ========================

(The entries could be listed to be restored or removed.)


ShortcutWithArgument: C:\Users\latou_000\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Applications Chrome\Google Play Films et séries.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --profile-directory=Default --app-id=gdijeikdkaembjbdobgfkoidjkpbmlkd

==================== Loaded Modules (Whitelisted) ==============

2014-07-04 23:33 - 2014-07-04 23:33 - 000127488 _____ () C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Container.Wlan.dll
2015-12-17 19:38 - 2015-12-17 19:38 - 000085800 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
2015-12-17 19:38 - 2015-12-17 19:38 - 001328912 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
2018-03-25 09:24 - 2018-03-20 01:00 - 004435288 _____ () C:\Program Files (x86)\Google\Chrome\Application\65.0.3325.181\libglesv2.dll
2018-03-25 09:24 - 2018-03-20 01:00 - 000099672 _____ () C:\Program Files (x86)\Google\Chrome\Application\65.0.3325.181\libegl.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2013-08-22 08:25 - 2013-08-22 08:25 - 000000824 _____ C:\Windows\system32\Drivers\etc\hosts


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-3477242233-1307385565-363532214-1003\Control Panel\Desktop\\Wallpaper -> C:\Users\latou_000\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper
DNS Servers: 192.168.2.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: Off)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==


==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [{638BEB8C-AFF0-4462-AA00-5E694D3D43BC}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{FD72B40C-DAD0-478E-810A-528A6D08CD1B}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{BC06380F-7AAB-4376-A4CE-0DA9E7C89E1A}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{81D1E497-A74C-4EF7-ABC3-5149E175A6A7}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{8A24367E-2651-453F-9EA3-6988B07B9A29}] => (Allow) C:\Program Files\iTunes\iTunes.exe
FirewallRules: [TCP Query User{EF2CA66B-8920-46F8-B174-78C9349EBC75}C:\users\marwa rmaih\appdata\roaming\spotify\spotify.exe] => (Allow) C:\users\marwa rmaih\appdata\roaming\spotify\spotify.exe
FirewallRules: [UDP Query User{D4DE50C0-D2BF-4810-BEAE-6406BE318203}C:\users\marwa rmaih\appdata\roaming\spotify\spotify.exe] => (Allow) C:\users\marwa rmaih\appdata\roaming\spotify\spotify.exe
FirewallRules: [{DD252D52-18BF-4B8C-8B6D-F98BB84AD9C8}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [{E2253E3F-E6D1-4E59-8C08-F116785B174B}] => (Allow) LPort=1688

==================== Restore Points =========================

21-12-2016 23:34:58 Windows Update
25-03-2018 13:42:34 Windows Update

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (03/27/2018 04:22:26 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program WWAHost.exe version 6.3.9600.17415 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: ea4

Start Time: 01d3c61183e09573

Termination Time: 4294967295

Application Path: C:\Windows\System32\WWAHost.exe

Report Id: f13d7525-3204-11e8-82a0-74d02bad3b8d

Faulting package full name: winstore_1.0.0.0_neutral_neutral_cw5n1h2txyewy

Faulting package-relative application ID: Windows.Store

Error: (03/27/2018 04:22:24 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 2484) (User: MARWA)
Description: Package winstore_1.0.0.0_neutral_neutral_cw5n1h2txyewy+Windows.Store was terminated because it took too long to suspend.

Error: (03/27/2018 03:00:57 PM) (Source: .NET Runtime) (EventID: 1026) (User: )
Description: Application: Service_KMS.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.IO.IOException
at System.IO.__Error.WinIOError(Int32, System.String)
at System.IO.FileStream.Init(System.String, System.IO.FileMode, System.IO.FileAccess, Int32, Boolean, System.IO.FileShare, Int32, System.IO.FileOptions, SECURITY_ATTRIBUTES, System.String, Boolean, Boolean, Boolean)
at System.IO.FileStream..ctor(System.String, System.IO.FileMode, System.IO.FileAccess, System.IO.FileShare, Int32, System.IO.FileOptions, System.String, Boolean, Boolean, Boolean)
at System.IO.StreamWriter.CreateFile(System.String, Boolean, Boolean)
at System.IO.StreamWriter..ctor(System.String, Boolean, System.Text.Encoding, Int32, Boolean)
at System.IO.StreamWriter..ctor(System.String, Boolean, System.Text.Encoding)
at System.IO.File.InternalAppendAllText(System.String, System.String, System.Text.Encoding)
at Service_KMS.Logging.FileLogger.LogMessage(System.String)
at Service_KMS.Service.ScheduledTask()
at Service_KMS.Service.TaskLoop()
at System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object)
at System.Threading.ThreadHelper.ThreadStart()

Error: (03/27/2018 03:00:38 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: Service_KMS.exe, version: 11.0.0.0, time stamp: 0x52a8d15d
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0x00000000
Fault offset: 0x00007ffce9de529f
Faulting process id: 0x5c8
Faulting application start time: 0x01d3c60637a9b922
Faulting application path: C:\Program Files\KMSpico\Service_KMS.exe
Faulting module path: unknown
Report Id: 847ee466-31f9-11e8-829f-74d02bad3b8d
Faulting package full name:
Faulting package-relative application ID:

Error: (03/27/2018 02:25:46 AM) (Source: Microsoft-Windows-Defrag) (EventID: 257) (User: )
Description: The volume System Reserved was not optimized because an error was encountered: The parameter is incorrect. (0x80070057)

Error: (03/25/2018 03:05:15 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program LiveComm.exe version 17.5.9600.20911 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 11d0

Start Time: 01d3c47323a6f760

Termination Time: 4294967295

Application Path: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.5.9600.20911_x64__8wekyb3d8bbwe\LiveComm.exe

Report Id: cddb2eea-3067-11e8-829e-74d02bad3b8d

Faulting package full name: microsoft.windowscommunicationsapps_17.5.9600.20911_x64__8wekyb3d8bbwe

Faulting package-relative application ID: ppleae38af2e007f4358a809ac99a64a67c1

Error: (03/25/2018 02:54:39 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 765968

Error: (03/25/2018 02:54:39 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 765968


System errors:
=============
Error: (03/27/2018 05:02:36 PM) (Source: Microsoft-Windows-Kernel-Power) (EventID: 137) (User: )
Description: 4

Error: (03/27/2018 03:02:31 PM) (Source: Microsoft-Windows-Eventlog) (EventID: 30) (User: NT AUTHORITY)
Description: The event logging service encountered an error (5) while enabling publisher {0BF2FB94-7B60-4B4D-9766-E82F658DF540} to channel Microsoft-Windows-Kernel-ShimEngine/Operational. This does not affect channel operation, but does affect the ability of the publisher to raise events to the channel. One common reason for this error is that the Provider is using ETW Provider Security and has not granted enable permissions to the Event Log service identity.

Error: (03/27/2018 03:02:17 PM) (Source: Microsoft-Windows-Eventlog) (EventID: 30) (User: NT AUTHORITY)
Description: The event logging service encountered an error (5) while enabling publisher {0BF2FB94-7B60-4B4D-9766-E82F658DF540} to channel Microsoft-Windows-Kernel-ShimEngine/Operational. This does not affect channel operation, but does affect the ability of the publisher to raise events to the channel. One common reason for this error is that the Provider is using ETW Provider Security and has not granted enable permissions to the Event Log service identity.

Error: (03/27/2018 03:01:03 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Service KMSELDI service terminated unexpectedly. It has done this 1 time(s).

Error: (03/27/2018 02:53:01 PM) (Source: DCOM) (EventID: 10010) (User: MARWA)
Description: The server {4545DEA0-2DFC-4906-A728-6D986BA399A9} did not register with DCOM within the required timeout.

Error: (03/27/2018 02:53:01 PM) (Source: DCOM) (EventID: 10010) (User: MARWA)
Description: The server {4545DEA0-2DFC-4906-A728-6D986BA399A9} did not register with DCOM within the required timeout.

Error: (03/27/2018 02:53:01 PM) (Source: DCOM) (EventID: 10010) (User: MARWA)
Description: The server {4545DEA0-2DFC-4906-A728-6D986BA399A9} did not register with DCOM within the required timeout.

Error: (03/27/2018 02:53:01 PM) (Source: DCOM) (EventID: 10010) (User: MARWA)
Description: The server {4545DEA0-2DFC-4906-A728-6D986BA399A9} did not register with DCOM within the required timeout.


Windows Defender:
===================================
Date: 2018-03-27 15:25:25.762
Description:
Windows Defender has detected malware or other potentially unwanted software.
For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=37020&name=HackTool:Win32/AutoKMS&threatid=2147685180&enterprise=0
Name: HackTool:Win32/AutoKMS
ID: 2147685180
Severity: Medium
Category: Tool
Path: file:_C:\Program Files\KMSpico\AutoPico.exe;file:_C:\Program Files\KMSpico\KMSELDI.exe;file:_C:\Program Files\KMSpico\Service_KMS.exe;file:_C:\Windows\System32\Tasks\AutoPico Daily Restart;process:_pid:2352,ProcessStart:131666544376201422;regkey:_HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7C55EBA9-27B9-48DB-A7EC-BDB1B5C703AA};regkey:_HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AutoPico Daily Restart;regkey:_HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\KMSpico_is1;service:_Service KMSELDI;taskscheduler:_C:\Windows\System32\Tasks\AutoPico Daily Restart;uninstall:_HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\KMSpico_is1
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: Real-Time Protection
Process Name: C:\Users\latou_000\AppData\Roaming\ZHP\ZHPCleaner.exe
Signature Version: AV: 1.263.1550.0, AS: 1.263.1550.0, NIS: 119.0.0.0
Engine Version: AM: 1.1.14600.4, NIS: 2.1.14600.4

Date: 2018-03-27 15:03:31.412
Description:
Windows Defender has detected malware or other potentially unwanted software.
For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=37020&name=HackTool:Win32/AutoKMS&threatid=2147685180&enterprise=0
Name: HackTool:Win32/AutoKMS
ID: 2147685180
Severity: Medium
Category: Tool
Path: file:_C:\Program Files\KMSpico\AutoPico.exe;file:_C:\Program Files\KMSpico\KMSELDI.exe;file:_C:\Program Files\KMSpico\Service_KMS.exe;file:_C:\Windows\System32\Tasks\AutoPico Daily Restart;process:_pid:2352,ProcessStart:131666544376201422;regkey:_HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7C55EBA9-27B9-48DB-A7EC-BDB1B5C703AA};regkey:_HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AutoPico Daily Restart;regkey:_HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\KMSpico_is1;service:_Service KMSELDI;taskscheduler:_C:\Windows\System32\Tasks\AutoPico Daily Restart;uninstall:_HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\KMSpico_is1
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: Real-Time Protection
Process Name: C:\Program Files\KMSpico\Service_KMS.exe
Signature Version: AV: 1.263.1550.0, AS: 1.263.1550.0, NIS: 119.0.0.0
Engine Version: AM: 1.1.14600.4, NIS: 2.1.14600.4

Date: 2018-03-27 15:01:04.107
Description:
Windows Defender has detected malware or other potentially unwanted software.
For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=37020&name=HackTool:Win32/AutoKMS&threatid=2147685180&enterprise=0
Name: HackTool:Win32/AutoKMS
ID: 2147685180
Severity: Medium
Category: Tool
Path: file:_C:\Program Files\KMSpico\Service_KMS.exe
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: Real-Time Protection
Process Name: C:\Program Files\KMSpico\Service_KMS.exe
Signature Version: AV: 1.263.1550.0, AS: 1.263.1550.0, NIS: 119.0.0.0
Engine Version: AM: 1.1.14600.4, NIS: 2.1.14600.4

Date: 2018-03-27 11:59:06.077
Description:
Windows Defender has detected malware or other potentially unwanted software.
For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=37020&name=HackTool:Win32/AutoKMS&threatid=2147685180&enterprise=0
Name: HackTool:Win32/AutoKMS
ID: 2147685180
Severity: Medium
Category: Tool
Path: file:_C:\Program Files\KMSpico\AutoPico.exe;file:_C:\Program Files\KMSpico\KMSELDI.exe;file:_C:\Program Files\KMSpico\Service_KMS.exe;file:_C:\Windows\System32\Tasks\AutoPico Daily Restart;process:_pid:1520,ProcessStart:131664607536958637;process:_pid:2568,ProcessStart:131664607700792180;process:_pid:2580,ProcessStart:131665571420134844;process:_pid:4972,ProcessStart:131665967421971473;process:_pid:4976,ProcessStart:131665769425072226;process:_pid:5912,ProcessStart:131666435414891129;process:_pid:7624,ProcessStart:131665103413740376;process:_pid:8080,ProcessStart:131664905420406815;regkey:_HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7C55EBA9-27B9-48DB-A7EC-BDB1B5C703AA};regkey:_HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AutoPico Daily Restart;regkey:_HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\KMSpico_is1;service:_Service KMSELDI;taskscheduler:_C:\Windows\System32\Tasks\AutoPico Daily Restart;uninstall:_HKLM\SOFTWARE\MICROSOFT\WINDOW
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: System
Process Name: C:\Program Files\KMSpico\AutoPico.exe
Signature Version: AV: 1.263.1550.0, AS: 1.263.1550.0, NIS: 119.0.0.0
Engine Version: AM: 1.1.14600.4, NIS: 2.1.14600.4

Date: 2018-03-27 11:59:02.435
Description:
Windows Defender has detected malware or other potentially unwanted software.
For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=37020&name=HackTool:Win32/AutoKMS&threatid=2147685180&enterprise=0
Name: HackTool:Win32/AutoKMS
ID: 2147685180
Severity: Medium
Category: Tool
Path: file:_C:\Program Files\KMSpico\AutoPico.exe;file:_C:\Program Files\KMSpico\KMSELDI.exe;file:_C:\Program Files\KMSpico\Service_KMS.exe;file:_C:\Windows\System32\Tasks\AutoPico Daily Restart;process:_pid:1520,ProcessStart:131664607536958637;process:_pid:2568,ProcessStart:131664607700792180;process:_pid:2580,ProcessStart:131665571420134844;process:_pid:4972,ProcessStart:131665967421971473;process:_pid:4976,ProcessStart:131665769425072226;process:_pid:7624,ProcessStart:131665103413740376;process:_pid:8080,ProcessStart:131664905420406815;regkey:_HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7C55EBA9-27B9-48DB-A7EC-BDB1B5C703AA};regkey:_HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AutoPico Daily Restart;regkey:_HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\KMSpico_is1;service:_Service KMSELDI;taskscheduler:_C:\Windows\System32\Tasks\AutoPico Daily Restart;uninstall:_HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\KMSpico_is1
Detection Origin: Local machine
Detection Type: Concrete
Detection Source: System
Process Name: C:\Windows\System32\taskeng.exe
Signature Version: AV: 1.263.1550.0, AS: 1.263.1550.0, NIS: 119.0.0.0
Engine Version: AM: 1.1.14600.4, NIS: 2.1.14600.4

Date: 2016-12-26 20:07:50.292
Description:
Windows Defender has encountered an error trying to update signatures.
New Signature Version:
Previous Signature Version: 116.65.0.0
Update Source: Microsoft Malware Protection Center
Signature Type: Network Inspection System
Update Type: Full
Current Engine Version:
Previous Engine Version: 2.1.12706.0
Error code: 0x80072ee7
Error description: The server name or address could not be resolved

Date: 2016-12-26 20:07:50.276
Description:
Windows Defender has encountered an error trying to update signatures.
New Signature Version:
Previous Signature Version: 1.231.1816.0
Update Source: Microsoft Malware Protection Center
Signature Type: AntiSpyware
Update Type: Full
Current Engine Version:
Previous Engine Version: 1.1.13202.0
Error code: 0x80072ee7
Error description: The server name or address could not be resolved

Date: 2016-12-26 20:07:50.276
Description:
Windows Defender has encountered an error trying to update signatures.
New Signature Version:
Previous Signature Version: 1.231.1816.0
Update Source: Microsoft Malware Protection Center
Signature Type: AntiVirus
Update Type: Full
Current Engine Version:
Previous Engine Version: 1.1.13202.0
Error code: 0x80072ee7
Error description: The server name or address could not be resolved

Date: 2016-12-26 20:07:50.167
Description:
Windows Defender has encountered an error trying to update signatures.
New Signature Version:
Previous Signature Version: 1.231.1816.0
Update Source: Microsoft Update Server
Signature Type: AntiVirus
Update Type: Full
Current Engine Version:
Previous Engine Version: 1.1.13202.0
Error code: 0x8024402c
Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.

Date: 2016-12-26 20:05:33.351
Description:
Windows Defender has encountered an error trying to update signatures.
New Signature Version:
Previous Signature Version: 116.65.0.0
Update Source: Microsoft Malware Protection Center
Signature Type: Network Inspection System
Update Type: Full
Current Engine Version:
Previous Engine Version: 2.1.12706.0
Error code: 0x80072ee7
Error description: The server name or address could not be resolved

CodeIntegrity:
===================================

Date: 2018-03-28 12:40:00.061
Description:
Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.

Date: 2018-03-28 12:39:52.214
Description:
Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.

Date: 2018-03-28 12:39:44.783
Description:
Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.

Date: 2018-03-28 12:39:37.276
Description:
Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.

Date: 2018-03-28 12:39:31.005
Description:
Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.

Date: 2018-03-28 12:39:25.044
Description:
Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.

Date: 2018-03-27 14:52:17.098
Description:
Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.

Date: 2018-03-27 14:52:08.296
Description:
Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.

==================== Memory info ===========================

Processor: AMD C-70 APU with Radeon(tm) HD Graphics
Percentage of memory in use: 52%
Total physical RAM: 3673.14 MB
Available physical RAM: 1752.96 MB
Total Virtual: 4313.14 MB
Available Virtual: 2395.24 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:111.45 GB) (Free:78.87 GB) NTFS
Drive d: (PRETTY_LITTLE_LIARS_SEASON2_D1) (CDROM) (Total:7.74 GB) (Free:0 GB) UDF

\\?\Volume{3aa373f9-b57f-11e3-824c-806e6f6e6963}\ (System Reserved) (Fixed) (Total:0.34 GB) (Free:0.09 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7/8/10) (Size: 111.8 GB) (Disk ID: 47A3C11C)
Partition 1: (Active) - (Size=350 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=111.4 GB) - (Type=07 NTFS)

==================== End of Addition.txt ============================
